<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">

<html lang="en">

<head>

<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">

<title>

GitLab

</title>

<style>img {

max-width: 100%; height: auto;

}

</style>

</head>

<body>

<div class="content">

<p style="color: #777777;">

<a href="https://gitlab.com/rockdaboot">Tim Rühsen</a>

commented:

</p>

<div style="">

<p dir="auto">Running the test script with <code>bash -x</code> prints the actual command lines of the server and client.</p>

<p dir="auto">No I started the server in one console and the client in a second console:

Server:</p>

<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">$ openssl s_server -accept 43445 -keyform pem -certform pem -key ./../../doc/credentials/x509/key-rsa.pem -cert ./../../doc/credentials/x509/cert-rsa.pem -CAfile ./../../doc/credentials/x509/ca.pem -early_data</span>

<span id="LC2" class="line" lang="plaintext">Using default temp DH parameters</span>

<span id="LC3" class="line" lang="plaintext">ACCEPT</span>

<span id="LC4" class="line" lang="plaintext"></span></code></pre>

<p dir="auto">Now starting client:</p>

<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">$ ../../src/gnutls-cli -p 43445 127.0.0.1 --priority NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL --earlydata /tmp/tls13-openssl-resumption.qF8l0q/earlydata.txt --insecure --inline-commands</span>

<span id="LC2" class="line" lang="plaintext">Processed 0 CA certificate(s).</span>

<span id="LC3" class="line" lang="plaintext">Resolving '127.0.0.1:43445'...</span>

<span id="LC4" class="line" lang="plaintext">Connecting to '127.0.0.1:43445'...</span>

<span id="LC5" class="line" lang="plaintext">- Certificate type: X.509</span>

<span id="LC6" class="line" lang="plaintext">- Got a certificate list of 2 certificates.</span>

<span id="LC7" class="line" lang="plaintext">- Certificate[0] info:</span>

<span id="LC8" class="line" lang="plaintext"> - subject `CN=GnuTLS Test Server (RSA certificate)', issuer `CN=GnuTLS Test CA', serial 0x4de0b4ca, RSA key 2432 bits, signed using RSA-SHA256, activated `2011-05-28 08:39:39 UTC', expires `2038-10-12 08:39:40 UTC', pin-sha256="ZCnc2x+EUztg6ShnEvwtcHxusyXqJ5RJLNCDLc+lVNE="</span>

<span id="LC9" class="line" lang="plaintext">        Public Key ID:</span>

<span id="LC10" class="line" lang="plaintext">                sha1:482334530a8931384a5aeacab6d2a6dece1d2b18</span>

<span id="LC11" class="line" lang="plaintext">                sha256:6429dcdb1f84533b60e9286712fc2d707c6eb325ea2794492cd0832dcfa554d1</span>

<span id="LC12" class="line" lang="plaintext">        Public Key PIN:</span>

<span id="LC13" class="line" lang="plaintext">                pin-sha256:ZCnc2x+EUztg6ShnEvwtcHxusyXqJ5RJLNCDLc+lVNE=</span>

<span id="LC14" class="line" lang="plaintext"></span>

<span id="LC15" class="line" lang="plaintext">- Certificate[1] info:</span>

<span id="LC16" class="line" lang="plaintext"> - subject `CN=GnuTLS Test CA', issuer `CN=GnuTLS Test CA', serial 0x00, RSA key 2432 bits, signed using RSA-SHA256, activated `2011-05-28 08:36:30 UTC', expires `2038-10-12 08:36:33 UTC', pin-sha256="Q6gIwA8tsmcqv+Fmom0cnzs9jZGV+iyqEIx0AQtfCQE="</span>

<span id="LC17" class="line" lang="plaintext">- Status: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected. </span>

<span id="LC18" class="line" lang="plaintext">*** PKI verification of server certificate failed...</span>

<span id="LC19" class="line" lang="plaintext">- Description: (TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)</span>

<span id="LC20" class="line" lang="plaintext">- Options:</span>

<span id="LC21" class="line" lang="plaintext">- Handshake was completed</span>

<span id="LC22" class="line" lang="plaintext"></span>

<span id="LC23" class="line" lang="plaintext">- Simple Client Mode:</span>

<span id="LC24" class="line" lang="plaintext"></span></code></pre>

<p dir="auto">The output in the server console is</p>

<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">No early data received</span>

<span id="LC2" class="line" lang="plaintext">DONE</span>

<span id="LC3" class="line" lang="plaintext">shutting down SSL</span>

<span id="LC4" class="line" lang="plaintext">CONNECTION CLOSED</span></code></pre>

<p dir="auto">But the client is still waiting - I had to manually ctrl-d.

The server clearly says "No early data received".</p>

<p dir="auto"><em>Without</em> ASAN, the server says</p>

<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext"> openssl s_server -accept 43445 -keyform pem -certform pem -key ./../../doc/credentials/x509/key-rsa.pem -cert ./../../doc/credentials/x509/cert-rsa.pem -CAfile ./../../doc/credentials/x509/ca.pem -early_data</span>

<span id="LC2" class="line" lang="plaintext">Using default temp DH parameters</span>

<span id="LC3" class="line" lang="plaintext">ACCEPT</span>

<span id="LC4" class="line" lang="plaintext">No early data received</span>

<span id="LC5" class="line" lang="plaintext">-----BEGIN SSL SESSION PARAMETERS-----</span>

<span id="LC6" class="line" lang="plaintext">MIGDAgEBAgIDBAQCEwIEILIL+Ng522T/+Y/32o1W59+8WwnnV6AkKIk+pNDsdSVl</span>

<span id="LC7" class="line" lang="plaintext">BDAlRh28LW5ilioqwzOBltY/bphABnQnfAIlWcP72SJkmNNKQXXxSgZjY8/A24Jq</span>

<span id="LC8" class="line" lang="plaintext">uFahBgIEXjA/QqIEAgIcIKQGBAQBAAAArgYCBBRRkzivBAICQAA=</span>

<span id="LC9" class="line" lang="plaintext">-----END SSL SESSION PARAMETERS-----</span>

<span id="LC10" class="line" lang="plaintext">Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256</span>

<span id="LC11" class="line" lang="plaintext">Signature Algorithms: RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:Ed448:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1</span>

<span id="LC12" class="line" lang="plaintext">Shared Signature Algorithms: RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:Ed448:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512</span>

<span id="LC13" class="line" lang="plaintext">Supported Elliptic Groups: P-256:P-384:P-521:X25519:X448:0x0100:0x0101:0x0102:0x0103:0x0104</span>

<span id="LC14" class="line" lang="plaintext">Shared Elliptic groups: P-256:P-384:P-521:X25519:X448</span>

<span id="LC15" class="line" lang="plaintext">CIPHER is TLS_AES_256_GCM_SHA384</span>

<span id="LC16" class="line" lang="plaintext">Secure Renegotiation IS NOT supported</span></code></pre>

<p dir="auto">And again we see "No early data received".</p>

</div>

</div>

<div class="footer" style="margin-top: 10px;">

<p style="font-size: small; color: #777;">

—

<br>

Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/issues/920#note_278092842">view it on GitLab</a>.

<br>

You're receiving this email because of your account on gitlab.com.

If you'd like to receive fewer emails, you can

<a href="https://gitlab.com/sent_notifications/eb4e72ee62f645b9970af35643ffe869/unsubscribe">unsubscribe</a>

from this thread or

adjust your notification settings.

<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/gnutls/issues/920#note_278092842"}}</script>

</p>

</div>

</body>

</html>